Reputation: 1306
I currently have an implementation of spring security with oauth2 running on spring boot. It is working as expected, and I have set the validity of access tokens to 10 minutes and refresh tokens to 30 days.
However, I would like to be able to invalidate the refresh token if a user has lost a device and wants that client to be logged out.
My token store looks as follows:
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        // Converter that signs and verifies the JWT access/refresh tokens with a symmetric key
        final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setSigningKey(this.secret);
        return jwtAccessTokenConverter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore persists nothing; tokens are accepted on the strength of their signature alone
        return new JwtTokenStore(jwtAccessTokenConverter());
    }
After looking at the JwtTokenStore class, the storeRefreshToken and storeAccessToken methods are blank, as expected: since the tokens are signed, they don't have to be stored.
My plan was to store the generated refresh tokens in a database and then include this as a requirement for the refresh token to be valid.
I've been looking at the JwtTokenStore class and it looks like it can have an optional ApprovalStore. Is this the right direction to go to solve this problem?
Upvotes: 4
Views: 5109
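One way to implement the plan described in the question (record every refresh token at issue time and require it to still be on record when a refresh grant arrives), as an added example that is not the poster's code and not part of Spring Security OAuth itself. The class name RevocableJwtTokenStore, the revokeAllFor method and the in-memory map that stands in for a database table are assumptions; the JwtTokenStore and DefaultTokenServices behaviour it relies on is the library's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// JwtTokenStore that only honours refresh tokens it issued and has not since revoked. DefaultTokenServices
// calls readRefreshToken() on every refresh grant; a null result fails the grant with InvalidGrantException.
public class RevocableJwtTokenStore extends JwtTokenStore {
    // Stand-in for a DB table (hypothetical): SHA-256 fingerprint of the token -> owning username.
    // Only the fingerprint is kept, so a leaked table does not hand out usable refresh tokens.
    private final ConcurrentHashMap<String, String> activeRefreshTokens = new ConcurrentHashMap<>();
    public RevocableJwtTokenStore(JwtAccessTokenConverter converter) {
        super(converter);
    }
    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication auth) {
        // The base class deliberately stores nothing; record the token when it is issued.
        activeRefreshTokens.put(fingerprint(refreshToken.getValue()), auth.getName());
    }

    @Override
    public OAuth2RefreshToken readRefreshToken(String tokenValue) {
        // Signature and expiry are still verified by the base class; this adds the "not revoked" check.
        if (!activeRefreshTokens.containsKey(fingerprint(tokenValue))) {
            return null;
        }
        return super.readRefreshToken(tokenValue);
    }

    @Override
    public void removeRefreshToken(OAuth2RefreshToken token) {
        activeRefreshTokens.remove(fingerprint(token.getValue()));
    }
    // "Log this user out of every device": drop all refresh tokens they currently hold.
    public void revokeAllFor(String username) {
        activeRefreshTokens.values().removeIf(username::equals);
    }
    private static String fingerprint(String tokenValue) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(tokenValue.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

Return an instance of this class from the tokenStore() bean in place of `new JwtTokenStore(...)`; with the in-memory map the revocation list is per-JVM and lost on restart, which is why a real deployment backs it with a table.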
Reputation: 12184
I think the problem is very similar to the one described here. So you might want to look at the accepted answer.
Apart from this, I have two additional ideas I would like to share:
Delete the client
It really depends on how you use client ids. But you could, of course, delete a client - this would make the refresh process fail.
Deactivate the user
From the documentation:
if you inject a UserDetailsService or if one is configured globally anyway (e.g. in a GlobalAuthenticationManagerConfigurer) then a refresh token grant will contain a check on the user details, to ensure that the account is still active
So if you are using a UserDetailsService and your token is associated with a user, you could deactivate the user to make the refresh process fail.
Upvotes: 1